Recovery Key Export

If you need to decrypt a large number of files, you can use the Export event type to export the disaster recovery private key from a keycard. This is a more dangerous operation, as the key is now fully reconstructed outside of a smart card, and could be exfiltrated by malware or a malicious actor. We recommend using this only when necessary, and on a secure computer.

To export the key, first propose an Export event, either by passing the --event-type export flag explicitly or by choosing export when prompted for the event type:

am dr propose
> Select a delegation: Production: d588e62cb2059e15e9021d212a320553
> Please select an event type: export
> Please enter a comment (less than 40 characters): Propose for testing
2 proposal requests saved

After this, run the auto command on each of the remaining cards until you reach a quorum (e.g. one additional card in this example), similar to the process of approving a Usage event:

am dr auto
There is a pending DR event request for this card (#1002001097)

┌─► DR Event Request for #1002001097
│ Delegation name: Production
│ Delegation fingerprint: d588e62cb2059e15e9021d212a320553
│ Proposing keychain: 1002001096
│ Proposing fingerprint: c2159e9761af9299742530e20401fafe
│ Signature: VALID
│ Event type: Export
│ Event ID: 2
│ Comment: Propose for testing

? Approve the Request? (Y/n) y
ⓘ approval record saved

After collecting enough approvals, re-insert the initial card that proposed the Export event and run auto:

am dr auto
ⓘ event opened for delegation "Production"

At this point, you have an open event to export the DR private key (aka "recovery key"). You may now run the export command to extract the recovery key from the keycard that proposed the event:

am dr export --file disaster_recovery_key_private.pem
> Select a delegation: Production: d588e62cb2059e15e9021d212a320553

You now have the recovery key in the file disaster_recovery_key_private.pem on your local computer. You can use this key to decrypt any file encrypted with the DR public key. In fact, decrypting Antimatter capsules and decrypting arbitrarily encrypted files use the same recovery command. The following example uses the extracted key file to decrypt a file that was encrypted with am dr encrypt:

am dr recover --in ./ciphertext --recovery-key ./disaster_recovery_key_private.pem --file ./recovered.txt

After exporting the key, you can close the event with the close command. This removes the reconstructed disaster recovery private key from the keycard, and you will need to propose a new event if you need to export the key again. Keep in mind that exporting the disaster recovery private key from the keycards is potentially dangerous, and the utmost care should be taken with the key file. We highly recommend deleting the key file once it is no longer needed.

am dr close
> Select a delegation: Production: d588e62cb2059e15e9021d212a320553
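
One way to act on the advice above about handling and deleting the key file, as an added example that is not part of the Antimatter documentation or tooling. The function names and the DR_SCRATCH_BASE variable are hypothetical, only the am dr export, recover and close invocations shown on this page are used, and the /dev/shm default assumes a Linux host where that path is RAM-backed.

```sh
#!/bin/sh
# Added example (not Antimatter code): keep the exported recovery key in a
# private scratch directory and delete it when the work is done.

# with_recovery_key CMD [ARGS...]
# Runs CMD with KEY_FILE set to a path inside a fresh mode-0700 directory,
# then removes that directory whether CMD succeeds, fails or is interrupted.
with_recovery_key() {
    (
        umask 077                                  # new files are owner-only
        base=${DR_SCRATCH_BASE:-/dev/shm}          # hypothetical override
        if [ ! -d "$base" ] || [ ! -w "$base" ]; then
            base=${TMPDIR:-/tmp}                   # fall back to on-disk temp
        fi
        workdir=$(mktemp -d "$base/amdr.XXXXXX") || exit 1
        trap 'rm -rf "$workdir"' EXIT
        trap 'exit 130' INT TERM                   # make signals run the EXIT trap
        KEY_FILE="$workdir/disaster_recovery_key_private.pem"
        export KEY_FILE
        "$@"
    )
}

# dr_recover_once CIPHERTEXT OUTPUT
# Uses only the commands shown on this page; export and close still prompt
# for the delegation, so run this from an interactive terminal.
dr_recover_once() {
    am dr export --file "$KEY_FILE" || return 1
    chmod 600 "$KEY_FILE" || return 1              # in case umask was not honoured
    rc=0
    am dr recover --in "$1" --recovery-key "$KEY_FILE" --file "$2" || rc=$?
    am dr close || rc=$?                           # close even if recover failed
    return "$rc"
}

# Usage, with an Export event already open on the proposing card:
#   with_recovery_key dr_recover_once ./ciphertext ./recovered.txt
```

Removing a file does not overwrite its contents, so when the scratch directory falls back to an on-disk location the key material may remain recoverable from the storage device; a RAM-backed directory avoids that.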